palo_alto 0.2.7 → 0.3.1

data/lib/palo_alto/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module PaloAlto
-  VERSION = '0.2.7'
+  VERSION = '0.3.1'
 end

data/lib/palo_alto.rb

@@ -74,30 +74,36 @@ module PaloAlto
 
   module Helpers
     class Rest
+      @global_lock = Mutex.new
+
       def self.make_request(opts)
         options = {}
-        options[:verify_ssl] = OpenSSL::SSL::VERIFY_PEER
-        options[:timeout] = 60
+        options[:verify_ssl] ||= OpenSSL::SSL::VERIFY_PEER
 
-        headers                  = {}
-        headers['User-Agent']    = 'ruby-keystone-client'
-        headers['Accept']        = 'application/xml'
-        headers['Content-Type'] = 'application/x-www-form-urlencoded'
+        headers = {
+          'User-Agent': 'ruby-keystone-client',
+          'Accept': 'application/xml',
+          'Content-Type': 'application/x-www-form-urlencoded'
+        }
 
         # merge in settings from method caller
         options = options.merge(opts)
         options[:headers].merge!(headers)
 
-        thread = Thread.current
-        unless thread[:http]
-          thread[:http] = Net::HTTP.new(options[:host], options[:port])
-          thread[:http].use_ssl = true
-          thread[:http].verify_mode = options[:verify_ssl]
-          thread[:http].read_timeout = thread[:http].open_timeout = options[:timeout]
-          thread[:http].set_debug_output($stdout) if options[:debug].include?(:http)
-        end
+        http_client = nil
 
-        thread[:http].start unless thread[:http].started?
+        @global_lock.synchronize do
+          Thread.current[:http_clients] ||= {}
+
+          unless (http_client = Thread.current[:http_clients][options[:host]])
+            http_client = Net::HTTP.new(options[:host], 443)
+            http_client.use_ssl = true
+            http_client.verify_mode = options[:verify_ssl]
+            http_client.read_timeout = http_client.open_timeout = (options[:timeout] || 60)
+            http_client.set_debug_output(options[:debug].include?(:http) ? $stdout : nil)
+            Thread.current[:http_clients][options[:host]] = http_client
+          end
+        end
 
         payload = options[:payload]
         post_req = Net::HTTP::Post.new('/api/', options[:headers])
@@ -109,7 +115,9 @@ module PaloAlto
           post_req.set_form_data(payload)
         end
 
-        response = thread[:http].request(post_req)
+        http_client.start unless http_client.started?
+
+        response = http_client.request(post_req)
 
         case response.code
         when '200'
@@ -159,18 +167,26 @@ module PaloAlto
   end
 
   class XML
-    attr_accessor :host, :port, :username, :password, :auth_key, :verify_ssl, :debug
+    attr_accessor :host, :username, :auth_key, :verify_ssl, :debug, :timeout
+
+    def pretty_print_instance_variables
+      super - [:@password, :@subclasses, :@subclasses, :@expression, :@arguments]
+    end
+
+    def execute(payload, skip_authentication: false)
+      if !auth_key && !skip_authentication
+        get_auth_key
+      end
 
-    def execute(payload)
       retried = false
       begin
         # configure options for the request
         options = {}
         options[:host]       = host
-        options[:port]       = port
         options[:verify_ssl] = verify_ssl
         options[:payload]    = payload
         options[:debug]      = debug
+        options[:timeout]    = timeout || 180
         options[:headers]    = if payload[:type] == 'keygen'
                                  {}
                                else
@@ -182,14 +198,14 @@ module PaloAlto
         start_time = Time.now
         text = Helpers::Rest.make_request(options)
         if debug.include?(:statistics)
-          warn "Elapsed for API call #{payload[:type]}/#{payload[:action] || '(unknown action)'}: #{Time.now - start_time} seconds"
+          warn "Elapsed for API call #{payload[:type]}/#{payload[:action] || '(unknown action)'} on #{host}: #{Time.now - start_time} seconds"
         end
 
         warn "received: #{Time.now}\n#{text}\n" if debug.include?(:received)
 
         data = Nokogiri::XML.parse(text)
         unless data.xpath('//response/@status').to_s == 'success'
-          warn 'command failed'
+          warn "command failed on host #{host} at #{Time.now}"
           warn "sent:\n#{options.inspect}\n" if debug.include?(:sent_on_error)
           warn "received:\n#{text.inspect}\n" if debug.include?(:received_on_error)
           code = data.at_xpath('//response/@code')&.value.to_i # sometimes there is no code :( e.g. for 'op' errors
@@ -206,27 +222,29 @@ module PaloAlto
           'Commit lock is not currently held by',
           'You already own a config lock for scope '
         ]
-        if retried || dont_retry_at.any? { |x| e.message.start_with?(x) }
-          raise e
-        else
-          warn "Got error #{e.inspect}; retrying" if debug.include?(:warnings)
-          retried = true
-          get_auth_key if e.is_a?(SessionTimedOutException)
-          retry
-        end
+        raise e if retried || dont_retry_at.any? { |x| e.message.start_with?(x) }
+
+        warn "Got error #{e.inspect}; retrying" if debug.include?(:warnings)
+        retried = true
+        get_auth_key if e.is_a?(SessionTimedOutException)
+        retry
       end
     end
 
-    def commit!(all: false, device_groups: nil, wait_for_completion: true)
-      return nil if device_groups.is_a?(Array) && device_groups.empty?
+    def commit!(all: false, device_groups: nil, templates: nil, wait_for_completion: true, wait: 5, timeout: 480)
+      return nil if device_groups.is_a?(Array) && device_groups.empty? && templates.is_a?(Array) && templates.empty?
 
       cmd = if all
               'commit'
             else
               { commit: { partial: [
                 { 'admin': [username] },
-                device_groups ? { 'device-group': device_groups } : nil,
-                'no-template',
+                if device_groups
+                  device_groups.empty? ? 'no-device-group' : { 'device-group': device_groups }
+                end,
+                if templates
+                  templates.empty? ? 'no-template' : { 'template': templates }
+                end,
                 'no-template-stack',
                 'no-log-collector',
                 'no-log-collector-group',
@@ -238,10 +256,11 @@ module PaloAlto
             end
       result = op.execute(cmd)
 
-      return result unless wait_for_completion
-
       job_id = result.at_xpath('response/result/job')&.text
-      wait_for_job_completion(job_id) if job_id
+
+      return result unless job_id && wait_for_completion
+
+      wait_for_job_completion(job_id, wait: wait, timeout: timeout) if job_id
     end
 
     def full_commit_required?
@@ -289,7 +308,9 @@ module PaloAlto
         cmd = { request: { "#{area}-lock": { add: { comment: comment || '(null)' } } } }
         op.execute(cmd, type: type, location: location)
         true
-      rescue PaloAlto::InternalErrorException
+      rescue PaloAlto::InternalErrorException => e
+        return true if e.message.start_with?('You already own a config lock for scope ')
+
         false
       end
     end
@@ -329,21 +350,25 @@ module PaloAlto
       }
     end
 
-    def wait_for_job_completion(job_id, wait: 5, timeout: 300)
+    def wait_for_job_completion(job_id, wait: 5, timeout: 600)
       cmd = { show: { jobs: { id: job_id } } }
       start = Time.now
       loop do
-        result = op.execute(cmd)
-        status = result.at_xpath('response/result/job/status')&.text
-        return result unless %w[ACT PEND].include?(status)
-
+        begin
+          result = op.execute(cmd)
+          status = result.at_xpath('response/result/job/status')&.text
+          return result unless %w[ACT PEND].include?(status)
+        rescue => e
+          warn [:job_query_error, e].inspect
+        end
         sleep wait
         break unless start + timeout > Time.now
       end
       false
     end
 
-    def revert!(all: false)
+    # wait: how long revert is retried (every 10 seconds)
+    def revert!(all: false, wait: 60)
       cmd = if all
               { revert: 'config' }
             else
@@ -359,26 +384,31 @@ module PaloAlto
                 { 'shared-object': 'excluded' }
               ] } } }
             end
-      op.execute(cmd)
+
+      waited = 0
+      begin
+        op.execute(cmd)
+      rescue StandardError => e
+        puts 'Revert failed; waiting and retrying'
+        sleep 10
+        waited += 1
+        retry while waited < wait
+        raise e
+      end
     end
 
-    def initialize(host:, port:, username:, password:, debug: [])
-      self.host      = host
-      self.port      = port
-      self.username = username
-      self.password = password
-      self.verify_ssl = OpenSSL::SSL::VERIFY_NONE
-      self.debug = debug
+    def initialize(host:, username:, password:, verify_ssl: OpenSSL::SSL::VERIFY_NONE, debug: [])
+      @host       = host
+      @username   = username
+      @password   = password
+      @verify_ssl = verify_ssl
+      @debug      = debug
 
       @subclasses = {}
 
       # xpath
       @expression = :root
       @arguments = [Expression.new(:this_node), []]
-
-      # attempt to obtain the auth_key
-      # raise 'Exception attempting to obtain the auth_key' if (self.class.auth_key = get_auth_key).nil?
-      get_auth_key
     end
 
     # Perform a query to the API endpoint for an auth_key based on the credentials provided
@@ -386,10 +416,10 @@ module PaloAlto
       # establish the required options for the key request
       payload = { type: 'keygen',
                   user: username,
-                  password: password }
+                  password: @password }
 
       # get and parse the response for the key
-      xml_data = execute(payload)
+      xml_data = execute(payload, skip_authentication: true)
       self.auth_key = xml_data.xpath('//response/result/key')[0].content
     end
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: palo_alto
 version: !ruby/object:Gem::Version
-  version: 0.2.7
+  version: 0.3.1
 platform: ruby
 authors:
 - Sebastian Roesner
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2022-01-19 00:00:00.000000000 Z
+date: 2022-09-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri